Airmon-ng

Description

This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the status of the interfaces.

Usage

<start|stop> indicates if you wish to start or stop the interface. (Mandatory)

<interface> specifies the interface. (Mandatory)

[channel] optionally set the card to a specific channel.

<check|check kill> “check” will show any processes that might interfere with the aircrack-ng suite. It is strongly recommended that these processes be eliminated prior to using the aircrack-ng suite. “check kill” will check and kill off processes that might interfere with the aircrack-ng suite. For “check kill” see

Usage Examples

Typical Uses

Check status and/or listing wireless interfaces

Checking for interfering processes

When putting a card into monitor mode, it will automatically check for interfering processes. It can also be done manually by running the following command:

~# airmon-ng check
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
718 NetworkManager
870 dhclient
1104 avahi-daemon
1105 avahi-daemon
1115 wpa_supplicant

Don't forget to restart the network manager. It is usually done with the following command:

service network-manager start

Madwifi-ng driver monitor mode

This describes how to put your interface into monitor mode. After starting your computer, enter “iwconfig” to show you the current status of the wireless interfaces. It likely looks similar to the following output.

You can see ath0 is in monitor mode. Also make sure the essid, nickname and encryption have not been set. The access point shows the MAC address of the card. The MAC address of the card is only shown when using the madwifi-ng driver. Other drivers do not show the MAC address of the card.

If ath1/ath2 etc. are running, stop them first, prior to all the commands above:

airmon-ng stop ath1

You can set the channel number by adding it to the end: airmon-ng start wifi0 9

Usage Tips

Confirming the Card is in Monitor Mode

To confirm that the card is in monitor mode, run the command “iwconfig”. You can then confirm the mode is “monitor” and the interface name.

For the madwifi-ng driver, the access point field from iwconfig shows you the MAC address of the wireless card.

Determining the Current Channel

To determine the current channel, enter “iwlist <interface name> channel”. If you will be working with a specific access point, then the current channel of the card should match that of the AP. In this case, it is a good idea to include the channel number when running the initial airmon-ng command.

How Do I Put My Card Back into Managed Mode?

It depends on which driver you are using. For all drivers except madwifi-ng:

airmon-ng stop <interface name>

For madwifi-ng, first stop ALL interfaces:

airmon-ng stop athX

Where X is 0, 1, 2 etc. Do a stop for each interface that iwconfig lists.

For mac80211 drivers, nothing has to be done, as airmon-ng keeps the managed interface alongside the monitor mode one (mac80211 uses interface types rather than modes of operation). If you no longer need the monitor interface and want to remove it, use the following:

airmon-ng stop monX

X is the monitor interface number - 0 unless you run multiple monitoring interfaces simultaneously.

Debugging issues

airmon-ng has two options to show more information, which can be useful when reporting or debugging issues.

--verbose flag

It gives information about the system as well as details about the wireless card.

root@kali:~# airmon-ng --verbose
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2019.1
Codename: n/a
Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
Detected VM using lspci
This appears to be a VMware Virtual Machine
If your system supports VT-d, it may be possible to use PCI devices
If your system does not support VT-d, you can only use USB wifi cards
K indicates driver is from 4.19.0-kali4-amd64
V indicates driver comes directly from the vendor, almost certainly a bad thing
S indicates driver comes from the staging tree, these drivers are meant for reference not actual use, BEWARE
? indicates we do not know where the driver comes from... report this
X[PHY]Interface Driver[Stack]-FirmwareRev Chipset Extended Info
K[phy1]wlan0 ath9k_htc[mac80211]-1.4 Qualcomm Atheros Communications AR9271 802.11n mode managed

In this case, the following additional information can be seen:

Detailed information about the Linux distribution as well as kernel version

System is a virtual machine (and detailed information about supported features)

Usage Troubleshooting

Madwifi-ng

Quite often, the standard scripts on a Linux distribution will set up ath0 and/or additional athX interfaces. These must all be removed first per the instructions above. Another problem is that the scripts set fields such as essid, nickname and encryption. Be sure these are all cleared.

Airmon-ng says the interface is not in monitor mode

~# airmon-ng stop wlan0mon
PHY Interface Driver Chipset
phy0 wlan0mon ath9k_htc Atheros Communications, Inc. AR9271 802.11n
You are trying to stop a device that isn't in monitor mode.
Doing so is a terrible idea, if you really want to do it then you
need to type 'iw wlan2mon del' yourself since it is a terrible idea.
Most likely you want to remove an interface called wlan[0-9]mon
If you feel you have reached this warning in error,
please report it.

It most likely means the interface mode was changed from monitor to managed mode by a network manager. In this case, when stopping monitor mode, this is not a problem.

My interface was put in monitor mode but tools say it is not

It usually means the interface was put in monitor mode prior to killing network managers, and the network manager put the card back in managed mode.

Refer to the documentation above to kill network managers and put it back into monitor mode.

Interface athX number rising (ath0, ath1, ath2.... ath45..)

The original problem description and solution can be found in this forum thread.

Problem:
Every time the command “airmon-ng start wifi0 x” is run, a new interface is created as it should, but there were two problems. The first is that each time airmon-ng is run on wifi0, the interface number on ath increases: the first time is ath1, the second ath2, the third ath3, and so on. This continues, so in a short period of time it is up to ath56 and continuing to climb. Unloading the madwifi-ng driver or rebooting the system has no effect, and the number of the interface created by airmon-ng continues to increase.

The second problem is that if you run airmon-ng on wifi0, the athXX created does not show as being in Monitor mode, even though it is. This can be confirmed via iwconfig.

Interface ath1 created instead of ath0

This troubleshooting tip applies to madwifi-ng drivers. First try stopping each VAP interface that is running (“airmon-ng stop IFACE” where IFACE is the VAP name). You can obtain the list from iwconfig. Then do “airmon-ng start wifi0”.

If this does not resolve the problem then follow the advice in this thread.

Why do I get ioctl(SIOCGIFINDEX) failed?

Error message: "wlanconfig: command not found"

If you receive “wlanconfig: command not found” or similar then the wlanconfig command is missing from your system or is not in the path. Use locate or find to determine if it is on your system and which directory it is in.

If it is missing from your system then make sure you have done a “make install” after compiling the madwifi-ng drivers. On Ubuntu, do “apt-get install madwifi-tools”.

If it is not in a directory in your path then move it there or add the directory to your path.

This means you have an old version of airmon-ng installed. Upgrade to at least v1.0-rc1. Preferably you should upgrade to the latest SVN version. See the installation page for more details. Also, don't forget you need to be root to use airmon-ng (or use sudo).

check kill fails

Distros from now on are going to adopt 'upstart' which is going to replace the /sbin/init daemon which manages services and tasks during boot.

Basically do:

service network-manager stop
service avahi-daemon stop
service upstart-udev-bridge stop

and then proceed with grepping and killing the pids of dhclient and wpa_supplicant.

This is the only way to kill ALL of the potentially problematic pids for aireplay-ng permanently. The trick is to kill the daemons first and then terminate the 'tasks'.
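
The ordering described here (daemons first, then tasks), applied to the “airmon-ng check” listing from the “Checking for interfering processes” section. This is an added example, not part of airmon-ng or the original page. It only prints the commands (dry run); the function names and the process-to-service mapping are assumptions taken from the service commands shown on this page.

```shell
# Constructed sample input: the "airmon-ng check" listing shown on this page.
SAMPLE_CHECK='Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
718 NetworkManager
870 dhclient
1104 avahi-daemon
1105 avahi-daemon
1115 wpa_supplicant'

# Assumption: process name -> service name, following the "service ... stop"
# commands on this page. Prints nothing for processes that are plain tasks.
service_for() {
    case "$1" in
        NetworkManager) echo network-manager ;;
        avahi-daemon)   echo avahi-daemon ;;
    esac
}

# Print "PID NAME" pairs: rows after the "PID Name" header with a numeric PID.
parse_check() {
    awk 'seen && $1 ~ /^[0-9]+$/ && NF >= 2 { print $1, $2 }
         $1 == "PID" && $2 == "Name" { seen = 1 }'
}

# Read "airmon-ng check" output on stdin and print, without executing, one
# "service ... stop" per daemon (deduplicated) followed by one "kill PID"
# per remaining task.
stop_plan() {
    pairs=$(parse_check)
    daemons=""
    tasks=""
    while read -r pid name; do
        [ -n "$pid" ] || continue
        svc=$(service_for "$name")
        if [ -n "$svc" ]; then
            case " $daemons " in *" $svc "*) ;; *) daemons="$daemons $svc" ;; esac
        else
            tasks="$tasks $pid"
        fi
    done <<EOF
$pairs
EOF
    for svc in $daemons; do echo "service $svc stop"; done
    for pid in $tasks; do echo "kill $pid"; done
}

printf '%s\n' "$SAMPLE_CHECK" | stop_plan
```

On a live system the plan would be produced with “airmon-ng check | stop_plan” and reviewed before any of the printed commands are run as root.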